CIPP/E Updates 2025 - New EDPB Guidance on Main Establishment
This article is part of a multi-part series to prepare you for the updated 2025 CIPP/E curriculum. Each part focuses on specific new content areas added to the exam. One major update now included in the official learning objectives is the European Data Protection Board’s (EDPB) Opinion 04/2024 on the concept of main establishment. This opinion directly affects how candidates must understand the one-stop shop mechanism under the GDPR. If you are sitting for the 2025 exam, you should be prepared to answer detailed questions about it.
The One-Stop Shop and Why Main Establishment Matters
The GDPR’s “one-stop shop” framework is intended to simplify regulatory oversight for organizations that operate across multiple EU member states. Instead of interacting with a different supervisory authority in each country, qualifying organizations may engage primarily with a single lead supervisory authority (LSA).
The ability to use this mechanism is not automatic. It depends entirely on correctly identifying a main establishment within the EU. This is where the controller makes critical decisions about personal data processing and has the authority to implement those decisions. The EDPB’s 2024 opinion brings much-needed clarification to this concept and defines exactly what kind of evidence is needed to support such a designation.
Without a valid main establishment, an organization risks having to deal with multiple authorities, losing the procedural efficiencies and predictability the one-stop shop is designed to provide.
Definition of Main Establishment
Understanding what qualifies as a main establishment is essential not only for GDPR compliance but also for success on the CIPP/E exam. This concept has been refined by regulators to emphasize function over form.
What the GDPR Requires
The General Data Protection Regulation defines “main establishment” in Article 4(16)(a) for controllers as the location within the EU where the decisions on the purposes and means of processing personal data are made. It must also be the site where these decisions are actually implemented.
For processors, the main establishment is defined as the location of the central administration, unless decisions about processing are made in a different location. This distinction reflects the more operational nature of processor obligations under the GDPR.
In practice, simply having a headquarters in the EU does not mean that office qualifies as the main establishment for GDPR purposes. It must be more than a formal address; it must reflect substantive control over how and why data is processed.
The EDPB’s Criteria for Main Establishment
The EDPB’s Opinion 04/2024 establishes a three-part test to determine whether a location genuinely qualifies as a main establishment. These criteria are now integrated into the CIPP/E curriculum and are likely to appear in exam scenarios.
To meet the threshold, a location must:
- Have authority over the purposes and means of processing: The site must be where strategic decisions regarding data processing are made.
- Be able to implement those decisions: It must possess the operational capacity to carry out decisions using its own resources.
- Maintain internal governance: This includes roles such as a Data Protection Officer (DPO), legal advisors, and compliance personnel who are actively involved in data processing oversight.
All three conditions must be satisfied. If a site lacks the ability to enforce decisions or lacks internal structures to manage compliance, it cannot qualify as the main establishment even if it plays a leadership role in the organization on paper.
Burden of Proof Lies with the Controller
The GDPR does not allow organizations to self-declare a main establishment without scrutiny. Instead, the controller bears the burden of proof for this designation.
Supervisory authorities are empowered to request documentation that supports the claimed status. This may include:
- Organizational charts showing decision-making hierarchy
- Documentation of data governance frameworks
- Job descriptions and employment records for key roles
- Evidence that decisions are implemented at the claimed site
Importantly, main establishment status, and with it the lead supervisory authority (LSA) designation that depends on it, is not permanent or automatic. Supervisory authorities can dispute or revoke it if they determine the location does not meet the operational or decision-making thresholds laid out by the EDPB. Organizations must be prepared to defend their designation, not just declare it.
Examples and Edge Cases That Matter
Understanding edge cases can significantly enhance your ability to answer nuanced questions on the exam and navigate real-world compliance challenges.
Example 1: Formal Headquarters vs. Actual Control
A technology company headquartered in Berlin might not qualify if all data decisions are made by a centralized team in Madrid. In this case, Madrid could be the main establishment under the GDPR, regardless of what internal documents suggest.
Example 2: Smaller Branch with Operational Authority
A small office in Amsterdam might qualify if it houses the DPO, legal team, and compliance operations, and if it makes and implements all decisions about data processing in the EU.
Example 3: Multinational Group Structures
For global organizations with multiple subsidiaries, the main establishment must be the legal entity within the EU that exercises genuine control over GDPR-related processing. This often involves analyzing intra-group agreements, lines of reporting, and decision-making structures.
In all these cases, regulators will look beyond appearances and focus on the substance of control and implementation.
Practical Tips for Proving Main Establishment
Organizations aiming to benefit from the one-stop shop should prepare now to demonstrate that they meet the EDPB’s criteria. This is also a critical competency area for CIPP/E candidates.
To strengthen your case:
- Centralize GDPR decision-making: Ensure that decisions about personal data processing are made consistently in one location within the EU.
- Staff the site with key roles: Include a DPO, legal advisors, and privacy operations professionals in the main establishment.
- Document decision-making authority: Keep records of meetings, policies, and directives showing where decisions originate and how they are implemented.
- Regularly update internal documents: This includes data processing records, org charts, and governance policies, which should clearly reflect the centralization of GDPR responsibilities.
These actions will also help mitigate the risk of regulatory challenges and enable smoother interactions with supervisory authorities.
How the CIPP/E Course Now Covers Main Establishment
The 2025 edition of the CIPP/E eLearning course fully integrates EDPB Opinion 04/2024 into its curriculum. Candidates are now expected to:
- Analyze complex organizational structures to identify a valid main establishment
- Understand how the designation affects cooperation and jurisdiction among supervisory authorities
- Prepare proper documentation and governance models that comply with the one-stop shop mechanism
The course includes updated exam-style questions that reflect realistic scenarios involving cross-border processing, shared responsibilities, and LSA disputes. These additions ensure that privacy professionals are better prepared for real-world challenges and regulatory expectations.
Ready to Learn More?
Whether you're studying for the CIPP/E exam or advising a multinational client, understanding the EDPB’s latest opinion on main establishment is essential. The one-stop shop can provide real benefits, but only if the controller can demonstrate centralized decision-making and operational control.
Our updated CIPP/E Prep Suite gives you the tools to master this topic with confidence. From in-depth modules to practice assessments, you’ll be fully prepared for the questions that matter most on the 2025 exam.